wick2o, Posted December 30, 2008

According to http://virusscan.jotti.org/ it bypasses all but AntiVir. I have also tested with the latest version of Norton. I just got sick of AVs removing my netcat from my USB key. I'd love to upload my patch, but exe files seem to be rejected. PM me if you're interested, or if you have a place it can be uploaded for and then linked to.

<edit> I have uploaded the file to rapidshare. Click Here

In short, I added a NOP in the sig for Norton, and then encrypted the rest of the .text section with a VERY simple xor script to hide it from the rest. There are a few anti-virus programs that appear to use the .data section in their sig, still working on encrypting that without destroying the program's functionality. </edit>

coyotepedia, Posted January 21, 2009

I don't know about Norton, but it certainly gave my copy of AVG fits. Too bad, since I've had the same problem with losing things from my USB key.

SomethingToChatWith, Posted January 23, 2009

Create a batch to rename the files with an unknown extension or remove .exe altogether. Then when you want to use the program have another batch that'll restore the extensions. Had to do this with Cain on my USB because McAfee would auto-remove it.

Iain, Posted January 23, 2009

> Create a batch to rename the files with an unknown extension or remove .exe altogether. Then when you want to use the program have another batch that'll restore the extensions. Had to do this with Cain on my USB because McAfee would auto-remove it.

I'm amazed that such a simple tweak works to prevent AV doing its "thing". I was under the impression that AV looks at data within the file (as a signature), rather than simply the file extension.

sablefoxx, Posted January 23, 2009

Mirror: http://dl.getdropbox.com/u/341940/netcat-patch.rar
Netcat + Source: http://dl.getdropbox.com/u/341940/netcat.rar
(Yay no rapid share)

SomethingToChatWith, Posted January 24, 2009

It doesn't scan the contents of the file until you actually try to run it. The only other time where it would auto-remove based on content otherwise is if you got realtime scanning enabled on a half way decent security suite and are copying/moving the file to another disk/location.

Zaitsevs, Posted January 27, 2009

I think you can add exceptions to drives and paths in AVG or basically any antivirus software. I remember having to do it when I used norton 2003, and then switched over to AVG I did the same thing for my hacktoolz dir.

wick2o (Author), Posted February 22, 2009

> I think you can add exceptions to drives and paths in AVG or basically any antivirus software. I remember having to do it when I used norton 2003, and then switched over to AVG I did the same thing for my hacktoolz dir.

That's great until you want to run your tools on another computer.

SomethingToChatWith, Posted February 22, 2009

Here's another idea. See if you can fool it by having it in a zip or cab file and then just copying out the programs when you need them. You might be able to run them from zip/cab if you're lucky, but don't be surprised if it doesn't.

Webhostbudd, Posted February 22, 2009

> It doesn't scan the contents of the file until you actually try to run it. The only other time where it would auto-remove based on content otherwise is if you got realtime scanning enabled on a half way decent security suite and are copying/moving the file to another disk/location.

Most antiviruses with real time protection and even on demand scanners, scan by file extension. Basically if you make it a random extension that the AV has no clue about, it will not scan for it. I believe this is to speed up time on the AV's part. If you do an on demand scan of the specific file (even with the extension changed), it will most likely remove it.

SomethingToChatWith, Posted February 22, 2009

Yes I know it's not likely you could get away with it. Ok... here's a more solid example of what I mean: I put netcat in an iso file to keep on my hard drive. Real-time scans don't do anything to it. Even if it does detect it during a manual/automatic scan, it can't remove it because it's a disc image... unless it actually just considered the whole .iso a bad file.

DingleBerries, Posted February 23, 2009

> Yes I know it's not likely you could get away with it. Ok... here's a more solid example of what I mean: I put netcat in an iso file to keep on my hard drive. Real-time scans don't do anything to it. Even if it does detect it during a manual/automatic scan, it can't remove it because it's a disc image... unless it actually just considered the whole .iso a bad file.

your virii protection is shit then.

SomethingToChatWith, Posted February 23, 2009

Well actually, I haven't put this to practice for myself. I usually just rename the files as suggested before.